Here are two batman-adv bugfixes:

- fix a potential double free when fragment merges fail,
    by Sven Eckelmann
 
  - fix failing tranmission of the 16th (last) fragment if that exists,
    by Linus Lüssing
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEE1ilQI7G+y+fdhnrfoSvjmEKSnqEFAli27gkWHHN3QHNpbW9u
 d3VuZGVybGljaC5kZQAKCRChK+OYQpKeofqQD/0Z/wUItUuS1pODZdcHLrhvc9q0
 0O2L0Uujzm+IHRXkv+3ZatedM3vnqq03w2WIdOf3BAPbkvY+zXO4TRQziE8PKy1p
 aMdC4A/jeGg1c7+PSx+mxhUbRsdP8cdkO3A5AgQxYjbXBlH59595thM8p6CUnWZ0
 M4YPaI7dd3XXWYvfaQ1fBcqwhy6z9uiisv5HF99jxkaFEM2ApK8LOhbmsfJbS13M
 aPgpq/Hjde/RrDGNElmmkWYWdsGAJMnHHVCbX0e3yehJdDZeXciak4BGO0Y2HUHX
 y7M8zjmYIkha2AnmO/3rl1PdOuX/5i43Haf31ojbXx4wK4RbPG6n2NoIngRhND3E
 PRP5t3pzZq/N4nAd9Aj+NSiJadxcrnz26sX0stmVIkbAnEUvsG1yNYUP0squL0bn
 G4EjUafyKonVbayMA90lFKvXujrm3rr0q7AcgpcuJJWWRMe0oHEjbaaIz2jh722S
 S0yeoKbmaXa2Skxfe68Ptajb+ODSpsL758vRhXS/ZTFWV/3iE8wPRRKil/mkeyL/
 pqFF+qxDjRI9S/Hku1A8cegjeBAfBtCxV7A35RP1MCNjv2iltGtBNLLUqiJ9i/C8
 REvrAIgaIIsZb01yi2mLVCNg7PEg/0lD8sulqH5Dkv3amSBZr0EsmulBZMoDdgwS
 7YLi2mqa5eXfGheNOQ==
 =xy9Y
 -----END PGP SIGNATURE-----

Merge tag 'batadv-net-for-davem-20170301' of git://git.open-mesh.org/linux-merge

Simon Wunderlich says:

====================
Here are two batman-adv bugfixes:

 - fix a potential double free when fragment merges fail,
   by Sven Eckelmann

 - fix failing tranmission of the 16th (last) fragment if that exists,
   by Linus Lüssing
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2017-03-02 13:16:08 -08:00
commit 6ab2b999e7

View File

@ -239,8 +239,10 @@ err_unlock:
spin_unlock_bh(&chain->lock); spin_unlock_bh(&chain->lock);
err: err:
if (!ret) if (!ret) {
kfree(frag_entry_new); kfree(frag_entry_new);
kfree_skb(skb);
}
return ret; return ret;
} }
@ -313,7 +315,7 @@ free:
* *
* There are three possible outcomes: 1) Packet is merged: Return true and * There are three possible outcomes: 1) Packet is merged: Return true and
* set *skb to merged packet; 2) Packet is buffered: Return true and set *skb * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb
* to NULL; 3) Error: Return false and leave skb as is. * to NULL; 3) Error: Return false and free skb.
* *
* Return: true when packet is merged or buffered, false when skb is not not * Return: true when packet is merged or buffered, false when skb is not not
* used. * used.
@ -338,9 +340,9 @@ bool batadv_frag_skb_buffer(struct sk_buff **skb,
goto out_err; goto out_err;
out: out:
*skb = skb_out;
ret = true; ret = true;
out_err: out_err:
*skb = skb_out;
return ret; return ret;
} }
@ -499,6 +501,12 @@ int batadv_frag_send_packet(struct sk_buff *skb,
/* Eat and send fragments from the tail of skb */ /* Eat and send fragments from the tail of skb */
while (skb->len > max_fragment_size) { while (skb->len > max_fragment_size) {
/* The initial check in this function should cover this case */
if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)) {
ret = -EINVAL;
goto put_primary_if;
}
skb_fragment = batadv_frag_create(skb, &frag_header, mtu); skb_fragment = batadv_frag_create(skb, &frag_header, mtu);
if (!skb_fragment) { if (!skb_fragment) {
ret = -ENOMEM; ret = -ENOMEM;
@ -515,12 +523,6 @@ int batadv_frag_send_packet(struct sk_buff *skb,
} }
frag_header.no++; frag_header.no++;
/* The initial check in this function should cover this case */
if (frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1) {
ret = -EINVAL;
goto put_primary_if;
}
} }
/* Make room for the fragment header. */ /* Make room for the fragment header. */